updated security vulnerability for notSalesforceSetup
Alfredo
committed
Dec 18, 2024
1 parent
496c4ec
commit b05296d
Showing
3 changed files
with
52 additions
and
26 deletions.
@@ -12,7 +12,7 @@ body > div { | |
font-weight: normal; | ||
} | ||
|
||
& > a { | ||
& > .button { | ||
width: 10rem; | ||
} | ||
} |
@@ -1,26 +1,46 @@ | ||
// deno-lint-ignore-file no-window | ||
const authorizedDomainRegex = /https:\/\/.*\.lightning\.force\.com/; | ||
const page = new URLSearchParams(window.location.search).get("url"); | ||
const textEl = document.querySelector("h3"); | ||
const sfsetupTextEl = document.querySelector("h3"); | ||
|
||
const div = document.createElement("div"); | ||
const prefix = document.createTextNode("This is not a ") | ||
const strongEl = document.createElement("strong") | ||
const otherText = document.createTextNode(); | ||
const otherText = document.createTextNode(""); | ||
|
||
sfsetupTextEl.innerText = ""; | ||
sfsetupTextEl.appendChild(div); | ||
let insertPrefix = true; | ||
let strongFirst = true; | ||
|
||
if (page != null) { // we're in a salesforce page | ||
// switch which button is shown | ||
document.getElementById("login").classList.add("hidden"); | ||
const goSetup = document.getElementById("go-setup"); | ||
goSetup.classList.remove("hidden"); | ||
// update the button href to use the domain | ||
const domain = page.substring(0, page.indexOf("/lightning")); | ||
goSetup.href = `${domain}/lightning/setup/SetupOneHome/home`; | ||
// update the bold on the text | ||
otherText = "Salesforce Lightning"; | ||
strongEl = "Setup Page" | ||
// Validate the domain (make sure it's a Salesforce domain) | ||
if (!authorizedDomainRegex.test(page)) { | ||
strongEl.textContent = "Invalid Salesforce"; | ||
otherText.textContent = "domain detected."; | ||
insertPrefix = false; | ||
} else { | ||
// switch which button is shown | ||
document.getElementById("login").classList.add("hidden"); | ||
const goSetup = document.getElementById("go-setup"); | ||
goSetup.classList.remove("hidden"); | ||
// update the button href to use the domain | ||
const domain = page.substring(0, page.indexOf("/lightning")); | ||
goSetup.href = `${domain}/lightning/setup/SetupOneHome/home`; | ||
Check warning Code scanning / CodeQL Client-side URL redirect Medium
Untrusted URL redirection depends on a
user-provided value Error loading related location Loading Check failure Code scanning / CodeQL Client-side cross-site scripting High
Cross-site scripting vulnerability due to
user-provided value Error loading related location Loading |
||
// update the bold on the text | ||
otherText.textContent = "Salesforce Lightning"; | ||
strongEl.textContent = " Setup Page" | ||
strongFirst = false; | ||
} | ||
} else { | ||
strongEl.textContent = "Salesforce Lightning"; | ||
otherText.textContent = " Setup Page"; | ||
} | ||
insertPrefix && div.appendChild(prefix); | ||
if(strongFirst){ | ||
div.appendChild(strongEl); | ||
div.appendChild(otherText) | ||
} else { | ||
strongEl = "Salesforce Lightning"; | ||
otherText = "Setup Page"; | ||
div.appendChild(otherText) | ||
div.appendChild(strongEl); | ||
} | ||
textEl.innerText = ""; | ||
textEl.insertAdjacentHTML("beforeend", text); |
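Review bot: The new `authorizedDomainRegex.test(page)` guard is unanchored, so any URL that merely contains `.lightning.force.com` somewhere in its path, query or fragment passes, and `goSetup.href` is then built from `page.substring(0, page.indexOf("/lightning"))` — which is why the CodeQL redirect and cross-site-scripting alerts attached to that `goSetup.href` line in this hunk are still open. The regex also never constrains where the scheme appears, so passing the check does not guarantee the link points at an https origin. Parse `page` with `new URL()`, require `protocol === "https:"` and a `hostname` ending in `.lightning.force.com`, and build the link from `url.origin` instead of the `indexOf` slice (which yields an empty prefix and a relative link whenever `/lightning` is absent); `authorizedDomainRegex` on the second line of the hunk then becomes unused and can be dropped. Separately, the invalid-domain branch renders `"Invalid Salesforce"` immediately followed by `"domain detected."` with no separating space; `strongEl.textContent = "Invalid Salesforce ";` fixes it.
```javascript
if (page != null) { // we're in a salesforce page
  let pageUrl = null;
  try {
    pageUrl = new URL(page);
  } catch {
    pageUrl = null; // not a parseable absolute URL
  }
  // Validate the domain: https scheme and a *.lightning.force.com host
  const isAuthorized = pageUrl !== null
    && pageUrl.protocol === "https:"
    && pageUrl.hostname.endsWith(".lightning.force.com");
  if (!isAuthorized) {
    // … unchanged: invalid-domain text …
  } else {
    // … unchanged: button toggle …
    goSetup.href = `${pageUrl.origin}/lightning/setup/SetupOneHome/home`;
    // … unchanged: text update …
  }
}
```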